It said Lifecycle Marketing had sold the data for use in the 2017 general election campaign without disclosing it might do so.

The firm disputes the findings.

It said it had not been given an opportunity to respond to the Information Commissioner’s Office’s complaints before the report was published

“As a result, details of the ICO’s findings, including those being reported by the press, contain significant factual inaccuracies which we trust will be corrected,” said a spokeswoman for Lifecycle Marketing.

She declined, however, to say what the errors were.

It is common for political parties to buy personal information to target their campaigns, but appropriate consent must have been obtained by the providers.

Labour has said that it will review its “approach to acquiring data from third parties” in light of the report.

One legal expert said the intervention was likely to cause wider concern.

Image copyrightGetty Images

Image caption
Labour gained 32 seats in the 2017 general election

“After the Obama campaigns, political parties saw the need to step up their data game, and at the time the playing field was not worked out,” said Sam Fowles from Cornerstone Barristers.

“They will certainly be worried now about whether they overstepped the mark in light of this.”

Mothers and children

It said it would not normally announce its intention to impose a fine until it had completed its inquiries, but believed in this case that there was an “overriding public interest to do so”.

The ICO said that on 5 May 2017, Lifecycle Marketing has supplied 1,065,200 records to the data broker Experian Marketing Services for use by Labour.

Each record included:

the name of the parent who had joined Emma’s Diary

their home address

whether children up to the age of five were present

the birth dates of the mother and children

The ICO said the Buckinghamshire-based Lifecycle Marketing had understood the data would be used by a mail campaign promoting Labour’s family-friendly policies in 106 constituencies.

Free nappies

Emma’s Diary is promoted by the Royal College of General Practitioners among others, and its information packs are distributed by many GPs and midwives.

Image copyrightGetty Images

Image caption
Many families sign up to Emma’s Diary online or via its registration forms

The benefits of joining include tailored emails with pregnancy and breastfeeding advice, as well as discount vouchers for high street stores and gift packs including nappies, baby wipes and other similar items.

A companion app also allows mothers-to-be to keep a journal of their pregnancies and make a time-lapse video of their growing bumps.

The business’ privacy policy stated that in return for such benefits, users permit third parties to contact them for marketing purposes.

But while the policy had listed several business sectors and specific companies that might get the data, the ICO said there had been no mention of political parties.

In fact, the watchdog added, the policy was only amended to do so in January 2018 after the ICO had told the company it was under investigation.

This, the regulator concluded, breached the Data Protection Act’s “fairness” requirement that organisations be transparent about how gathered personal data might be used.

It added that there may also have been a breach of the European Convention on Human Rights.

In considering the size of its penalty, the watchdog said it had taken into account that it understood Lifecycle Marketing had not shared personal data with a political party on any other occasion, and had expected the information to be deleted after the general election vote.

But it added that it was not clear how the firm could be confident that the data had indeed been permanently erased.

The ICO added that it would make a final ruling after hearing back from Lifecycle Marketing, and would confirm the size of the penalty on or after 30 July.

“[We] will be submitting our written representations to challenge the ICO’s findings in accordance with the usual process,” said a spokeswoman for Lifecycle Marketing in response.

Careful thinking

The Royal College of General Practitioners acknowledged it had a “long-running relationship” with Emma’s Diary but added that it “does not hold or receive data and has had no involvement in the case being investigated”.

Experian Marketing Services said that it was aware of the ICO’s concerns and would “remain vigilant when it comes to data security and integrity”.

Image copyrightGetty Images

Image caption
A new law – GDPR – has introduced tougher penalties for data breaches

The ICO has said it wants the UK’s 11 main political parties to have their data-sharing practices audited later this year and said it also has “outstanding enquiries with a number of data brokers”.

“[In the past] there had been a much looser interpretation of the fairness principle, and it wasn’t applied as tightly and rigorously as it has been in this case,” Mr Fowles explained.

“Now we see this is the direction of travel for the Information Commissioner, companies and political parties are going to have to think very carefully about what they told people when they took data from them.”

Did you sign up to Emma’s Diary? How do you feel about your personal data potentially being shared without your consent? Email haveyoursay@bbc.co.uk.

Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways: